Yosemite 10.10.5 keychain issues with AD users and Casper Imaging...

tu-egadsby
New Contributor

Dear Friends,

I am working on a Yosemite 10.10.5 "image" using Casper Imaging. Our users log in using AD. At first log-in these users get the Keychain reset pop-up. These users have never logged on before, so I am deducing that it's a leftover from the dummy user I used to make packages with Casper. I have tried to use Casper Imaging to replace ~/Library/Keychains/ with an empty folder, but that didn't seem to work. Have any fellow Casper users found a good solution to this?

These are students logging into a drop-in style lab so removing the keychain at the start of a session really doesn't bother me and I guess I could script that but I wanted to see if anybody had found another way using the JSS or other tools. Thanks in advance for helping me tighten my thinking cap!

Sincerely,

Eric T Gadsby


archimboldi
New Contributor II

Hi, Eric

I have been dealing with these issues too, and have yet to come up with a good solution. In our AD environment it is happening to existing/established users on their primary workstations - not just on first login. Questions:

Is AD forcing a password change at first login?

Are you seeing popups for the local items keychain, the login keychain, or both?

Since your issue is affecting only first logins, you could script the deletion of one or both keychains and deploy the script with a policy scoped to the machine and triggered by login with a frequency of "once per user". The problem with deleting the keychains is that it requires an immediate reboot - not exactly an ideal solution. I wonder if there is a way to recreate the keychains without rebooting. If you want to script it you could do something like this:

# console user (the command substitutions were missing from the original lines)
userName=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
# Hardware UUID, which is the name of the Local Items keychain folder
LIKC=$(system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}')
# remove only the Local Items keychain folder for that user
rm -rf "/Users/$userName/Library/Keychains/$LIKC"

The last line deletes the local items keychain only; if you need to delete login.keychain as well (or instead) you can edit accordingly. Deleting the login keychain is a last resort for me, since it contains wifi certs, etc. that have to be re-created. I'm also very curious to hear how others are managing these keychain issues in AD environments.
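The login-triggered policy script archimboldi describes, written out as an added example (this is not code from the thread or from Jamf). It removes the console user's Local Items keychain folder, the one named after the Hardware UUID under ~/Library/Keychains, and optionally login.keychain as well. Everything sits behind empty-variable guards, because a plain `rm -rf /Users/$user/Library/Keychains/$uuid` with an empty `$uuid` wipes the whole Keychains folder. Assumptions: Jamf passes the logging-in user to policy scripts as `$3`, and the hypothetical script parameter `$4` set to `login` also removes login.keychain; `console_user`, `hardware_uuid` and `user_home` are macOS-only lookups.

```shell
#!/bin/bash
# Added example, not code from the thread. Run by a Jamf policy with the
# Login trigger; $1 mount point, $2 computer name, $3 user (Jamf convention),
# $4 = "login" (our own parameter) to delete login.keychain as well.

set -u

# Console user: prefer what Jamf passed in, else the owner of /dev/console
# (macOS only). Refuses the pseudo-users present at the login window.
console_user() {
    local u="${1:-}"
    if [ -z "$u" ] && [ "$(uname)" = "Darwin" ]; then
        u=$(/usr/bin/stat -f %Su /dev/console)
    fi
    case "$u" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    printf '%s\n' "$u"
}

# Hardware UUID (macOS only); this is the Local Items keychain folder name.
hardware_uuid() {
    [ "$(uname)" = "Darwin" ] || return 1
    /usr/sbin/system_profiler SPHardwareDataType \
        | /usr/bin/awk -F': ' '/Hardware UUID/ { print $2 }'
}

# Home directory from the directory service, so AD mobile accounts resolve.
user_home() {
    /usr/bin/dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null \
        | /usr/bin/awk '{ print $2 }'
}

# Build the Local Items path only when both parts are non-empty; otherwise
# print nothing and fail, so a caller can never delete the parent folder.
local_items_dir() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf '%s/Library/Keychains/%s\n' "$1" "$2"
}

# Delete the Local Items keychain folder.
# 0 = removed, 1 = bad input, 2 = nothing to delete (already clean).
remove_local_items() {
    local dir
    dir=$(local_items_dir "$1" "$2") || return 1
    [ -d "$dir" ] || return 2
    /bin/rm -rf "$dir"
}

# Last resort: delete login.keychain too (saved Wi-Fi certs, passwords, etc.
# are lost). Leaves metadata.keychain and everything else in place.
# 0 = removed, 1 = bad input, 2 = nothing to delete.
remove_login_keychain() {
    [ -n "$1" ] || return 1
    local f removed=2
    for f in "$1/Library/Keychains/login.keychain" \
             "$1/Library/Keychains/login.keychain-db"; do
        if [ -f "$f" ]; then
            /bin/rm -f "$f"
            removed=0
        fi
    done
    return $removed
}

main() {
    local user home uuid rc
    user=$(console_user "${3:-}") || { echo "no console user, nothing to do"; return 0; }
    home=$(user_home "$user")
    uuid=$(hardware_uuid)
    rc=0; remove_local_items "$home" "$uuid" || rc=$?
    case $rc in
        0) echo "removed Local Items keychain for $user" ;;
        1) echo "home or Hardware UUID unknown for $user; skipped" ;;
        *) echo "no Local Items keychain to remove for $user" ;;
    esac
    if [ "${4:-}" = "login" ]; then
        remove_login_keychain "$home" && echo "removed login.keychain for $user"
    fi
    return 0
}

main "$@"
```

Scope the policy to the lab machines, use the Login trigger with the "Once per user per computer" frequency, and leave parameter 4 empty unless the login keychain really has to go. The script only decides what to delete; it does not address the logout/reboot the reply mentions, so the popup may still appear once in the session in which the folder was removed.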

bentoms
Release Candidate Programs Tester

@tu-egadsby & @archimboldi I'd have a look through the packages you've created & remove any items within ~/Library/Keychains from them & then try.

It's not common to have keychain issues on new accounts.

Kprice
New Contributor III

Do you happen to have any .dmg installers that are set to FEU/FUT? I went round and round with the Keychain folder not being created properly and found that to be an issue. Check this out, might help. In my case I was just reimaging to solve the problem. https://jamfnation.jamfsoftware.com/discussion.html?id=6211